How to sanitize text input in WordPress using sanitize_text_field

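The sanitize_text_field function in WordPress cleans a string taken from a text field: it checks for invalid UTF-8, converts single < characters to entities, strips all HTML tags, removes line breaks, tabs and extra whitespace, and strips percent-encoded octets. This helps prevent security vulnerabilities such as cross-site scripting (XSS) attacks and ensures that user input is reduced to plain text before being stored or displayed on a website. It sanitizes input only, so values should still be escaped with functions such as esc_html or esc_attr when they are output.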

By using the sanitize_text_field function, developers can ensure that any text input from users is cleaned and sanitized, reducing the risk of malicious code being executed or displayed on the website. This function helps to maintain the integrity and security of the website’s data and content.

Parameters accepted by the WordPress sanitize_text_field function

  • $str (string, required): String to sanitize.

The sanitize_text_field function accepts one parameter, which is a string that needs to be sanitized.

Value returned by the sanitize_text_field function

The function returns a sanitized string.


How to sanitize user input from a form field

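// Fall back to an empty string when the field was not submitted.
$user_input = isset($_POST['user_input']) ? $_POST['user_input'] : '';
$sanitized_input = sanitize_text_field($user_input);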

This code snippet takes the user input from a form field using $_POST and then sanitizes it using the sanitize_text_field function. This helps to remove any potentially harmful characters and ensures that the input is safe to use in the WordPress database.

How to sanitize a custom field value before saving it to the database

add_action('save_post', 'my_custom_save_function');
function my_custom_save_function($post_id) {
    // Only act when the form actually submitted the field.
    if (array_key_exists('custom_field', $_POST)) {
        $custom_field_value = $_POST['custom_field'];
        // Strip tags, line breaks and extra whitespace before storing.
        $sanitized_value = sanitize_text_field($custom_field_value);
        update_post_meta($post_id, 'custom_field', $sanitized_value);
    }
}

This code snippet demonstrates how to use the sanitize_text_field function to sanitize a custom field value before saving it to the database. It first checks if the custom field exists in the $_POST array, then sanitizes the value using sanitize_text_field before using update_post_meta to save it to the database.
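The handler above sanitizes the value but accepts it from any request that triggers save_post. The following added example (not code from the original page) places the same sanitize_text_field call behind a nonce check and a capability check, and escapes the stored value when it is printed back into the form. The meta box id, nonce name and function names are hypothetical; the file is assumed to be loaded by WordPress as part of a plugin.

```php
<?php
// Added example: hypothetical meta box for the 'custom_field' meta key.
add_action('add_meta_boxes', 'my_custom_add_meta_box');
function my_custom_add_meta_box() {
    add_meta_box('my_custom_box', 'Custom field', 'my_custom_render_box', 'post');
}

function my_custom_render_box($post) {
    // The nonce ties the submission to this user, this action and this post.
    wp_nonce_field('my_custom_save_' . $post->ID, 'my_custom_nonce');
    $value = get_post_meta($post->ID, 'custom_field', true);
    // Escape on output: sanitizing at save time does not replace this.
    printf(
        '<input type="text" name="custom_field" value="%s" />',
        esc_attr($value)
    );
}

add_action('save_post', 'my_custom_save_checked');
function my_custom_save_checked($post_id) {
    // Skip autosaves and revisions, which do not carry the meta box fields.
    if ((defined('DOING_AUTOSAVE') && DOING_AUTOSAVE) || wp_is_post_revision($post_id)) {
        return;
    }
    // Reject requests that lack a valid nonce for this post.
    if (!isset($_POST['my_custom_nonce'])) {
        return;
    }
    $nonce = sanitize_text_field(wp_unslash($_POST['my_custom_nonce']));
    if (!wp_verify_nonce($nonce, 'my_custom_save_' . $post_id)) {
        return;
    }
    // The user must be allowed to edit this specific post.
    if (!current_user_can('edit_post', $post_id)) {
        return;
    }
    if (!array_key_exists('custom_field', $_POST)) {
        return;
    }
    // update_post_meta() unslashes its value itself, so the slashed
    // $_POST value goes through sanitize_text_field() unchanged.
    $sanitized_value = sanitize_text_field($_POST['custom_field']);
    update_post_meta($post_id, 'custom_field', $sanitized_value);
}
```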

How to sanitize a query parameter before using it in a custom WP_Query

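// Fall back to an empty string when the parameter is absent.
$query_param = isset($_GET['query_param']) ? $_GET['query_param'] : '';
$sanitized_param = sanitize_text_field($query_param);
$args = array(
    'meta_query' => array(
        // Each meta_query clause must be its own nested array.
        array(
            'key' => 'custom_field',
            'value' => $sanitized_param,
            'compare' => '='
        ),
    ),
);
$custom_query = new WP_Query($args);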

In this code snippet, we first retrieve a query parameter from the $_GET array and then sanitize it using sanitize_text_field. The sanitized parameter is then used in a custom WP_Query to search for posts with a specific custom field value.


In conclusion, the sanitize_text_field function is a crucial tool for developers looking to ensure the security and integrity of user input in their WordPress projects. By using this function, developers can effectively remove any potentially harmful characters or code from text fields, preventing potential security vulnerabilities and ensuring a safer user experience. It is important to incorporate this function into your development workflow to maintain the highest standards of security and data integrity. Overall, the sanitize_text_field function is an essential component of WordPress development, and its usage should be prioritized in any project.